Java 7 fails to restrict access to privileged code

kb.cert.org
Date published: January 16th 2013

Disable Java in web browsers

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.

Note: Due to what appears to be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet can be launched by locating and running javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin.

Also note that we have encountered situations on Windows XP where Java will crash if it has been disabled in the web browser as described above and then subsequently re-enabled. Michael Horowitz has pointed out that performing the same steps on Windows 7 will result in unsigned Java applets executing without prompting, regardless of the "Security Level" slider setting in the Java Control Panel applet. Reinstalling Java appears to correct both of these situations.

System administrators wishing to deploy Java 7 Update 10 or later with the "Enable Java content in the browser" feature disabled can invoke the Java installer with the WEB_JAVA=0 command-line option. More details are available in the Java documentation.


Restrict access to Java applets

Network administrators unable to disable Java in web browsers may be able to help mitigate this and other Java vulnerabilities by restricting access to Java applets. This may be accomplished by using proxy server rules, for example. Blocking or whitelisting web requests to .jar and .class files can help to prevent Java from being used by untrusted sources. Filtering requests that contain a Java User-Agent header may also be effective. For example, this technique can be used in environments where Java is required on the local intranet. The proxy can be configured to allow Java requests locally, but block them when the destination is a site on the internet.
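The proxy policy described above (treat a request as "Java" if it fetches a .jar or .class file or carries a Java User-Agent, allow it to intranet hosts and block it to internet hosts), as an added Python example; it is not code from the CERT note, and the intranet domain suffixes and sample User-Agent strings are assumptions.

```python
import re
from urllib.parse import urlsplit

# File suffixes that identify Java applet payloads (the ".jar and .class" rule).
JAVA_SUFFIXES = (".jar", ".class")
# The Java plug-in identifies itself with a "Java/<version>" token in the
# User-Agent header, e.g. "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_10".
JAVA_UA = re.compile(r"\bJava/\d", re.IGNORECASE)
# Hypothetical intranet domain suffixes; a real deployment substitutes its own.
INTRANET_SUFFIXES = ("intranet.example", "corp.example")


def is_java_request(url: str, headers: dict) -> bool:
    """True if the request fetches Java code or originates from the Java runtime."""
    path = urlsplit(url).path.lower()
    if path.endswith(JAVA_SUFFIXES):
        return True
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    return bool(JAVA_UA.search(lowered.get("user-agent", "")))


def is_intranet(url: str) -> bool:
    """True if the destination host is one of the configured intranet domains."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in INTRANET_SUFFIXES)


def decide(url: str, headers: dict) -> str:
    """Return 'allow' or 'block' for one proxied request.

    Non-Java traffic passes untouched; Java traffic is only allowed when the
    destination is on the intranet, so untrusted internet sites cannot serve
    applets to the browser plug-in.
    """
    if not is_java_request(url, headers):
        return "allow"
    return "allow" if is_intranet(url) else "block"


if __name__ == "__main__":
    # Constructed sample requests, as a proxy might see them.
    samples = [
        ("http://hr.intranet.example/apps/payroll.jar", {"User-Agent": "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_10"}),
        ("http://ads.example.net/Applet.class?v=3", {"User-Agent": "Mozilla/5.0"}),
        ("http://news.example.net/index.html", {"user-agent": "Java/1.7.0_10"}),
        ("http://news.example.net/index.html", {"User-Agent": "Mozilla/5.0"}),
    ]
    for url, hdrs in samples:
        print(decide(url, hdrs), url)
```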
